0 & Luck007
By
ColdFever
AoRE team
Abstract:
These two packers use the same methods to protect the executable
file. When I say the “same”, I really mean exactly the same methods in
exactly the same order. I don’t know if they are from the same person. Anyhow, in this
tutorial you will learn how to unpack them.
Introduction:
At the beginning of the tutorial I will show you both targets, but I will
finish with one of them.
Part I:
Getting the dump
This is Drony’s EP
This is Luck007’s EP
I know, the EP code is different, but the protection methods are still the
same, so just continue. ☺
Now, use the OllyDbg dump plug-in and change the Start Address, the Size,
and the OEP before you click “Dump”.
If you don’t know why we need the above changes, go find something
else to do with your time, “Cracking is not for you” LOL ☺
Part II:
Fixing the dump
I have already talked about a similar case where we had to fix the IAT table
when ImpRec reads the wrong image base. See my tutorial on “Extracting
embedded file from within MoleBox Executables” for more clarification.
Run ImpRec, select the program, enter our values, and click “Get Imports”.
We need to fix the IAT table before we can fix the dump. So, click “Save
Tree” and save it under any name. Open the text file in Notepad and use
the replace command to change the address.
Save the changes in the text file. Now, click “Load Tree” in ImpRec and
load the text file.
Greetings:
To all my friends in AoRE Forum
Tuts4you, ARteam, Snd, CORE, TSRh, and all the cracking groups
To you for taking the time to read this ☺